JSVC and Grizzly

Hi all,

I am trying to use JSVC to bind to a privileged port while root, then
run the application as a separate user. This would require that I bind
the port separately from starting the server (accepting connections,
creating a thread pool, etc.).

The issue I am facing is in NetworkListener.start() - this call
combines the TCPNIOTransport.bind and the TCPNIOTransport.start.

Additionally, it appears that TCPNIOTransport.bind also listens on the
port as well.

Any suggestions on how to separate binding to the port from the rest of
the operations? Or alternatively, any suggestions on how to bind to
Grizzly a privileged port? Specifically - has anyone used authbind with
Grizzly?

Re: JSVC and Grizzly

Looking at the JSVC documentation, it appears it already supports [1]
this functionality (-user option). I don't believe you need to do
anything special with the application's initialization code.
I'd recommend following up with the jsvc creators to confirm this -
particularly, if it isn't working.

[1] Jsvc allows the application (e.g. Tomcat) to perform some privileged
operations as root (e.g. bind to a port < 1024), and then switch
identity to a non-privileged user.

> Hi all,
>
> I am trying to use JSVC to bind to a privileged port while root, then
> run the application as a separate user. This would require that I bind
> the port separately from starting the server (accepting connections,
> creating a thread pool, etc.).
>
> The issue I am facing is in NetworkListener.start() - this call
> combines the TCPNIOTransport.bind and the TCPNIOTransport.start.
>
> Additionally, it appears that TCPNIOTransport.bind also listens on the
> port as well.
>
> Any suggestions on how to separate binding to the port from the rest of
> the operations? Or alternatively, any suggestions on how to bind to
> Grizzly a privileged port? Specifically - has anyone used authbind with
> Grizzly?
>
> Thanks!
> - Scott

Re: JSVC and Grizzly

It's not possible at the moment, but if you can provide more details on
JSVC (based on your question, it should have some programmatic API),
specifically how you think it should work with Grizzly HttpServer, maybe
some *fake* code which will demonstrate that (I see you spent some
time learning Grizzly code, so probably you have some ideas :)). We can
try to implement this feature and include it in the 2.3.4 release
(we're planning the 2.3.4 release this week).

> Hi all,
>
> I am trying to use JSVC to bind to a privileged port while root, then
> run the application as a separate user. This would require that I bind
> the port separately from starting the server (accepting connections,
> creating a thread pool, etc.).
>
> The issue I am facing is in NetworkListener.start() - this call
> combines the TCPNIOTransport.bind and the TCPNIOTransport.start.
>
> Additionally, it appears that TCPNIOTransport.bind also listens on the
> port as well.
>
> Any suggestions on how to separate binding to the port from the rest of
> the operations? Or alternatively, any suggestions on how to bind to
> Grizzly a privileged port? Specifically - has anyone used authbind with
> Grizzly?
>
> Thanks!
> - Scott

Tried to bind to to test port 81 from start(), but failed! - "Permission denied"

Accepting connections on 80...

Stopping....

exiting thread...

Destroying...

You can see that the server was able to bind to a privileged port in init, but not in start. What I didn't fully understand is that JSVC appears to be using Linux capabilities to pull all this off (CAP_NET_BIND_SERVICE). Therefore, the danger of starting something from init is less than I thought (I can't open a file owned and only readable by root, for example). This little experiment has suggested I should probably talk to the JSVC guys a bit more before you make any changes... Once I hear back more, let's continue this discussion.
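The experiment Scott describes above, reconstructed as an added example for this thread (it is not code from the thread, from jsvc or from Grizzly): a commons-daemon `Daemon` that does the privileged bind in `init()` and only starts accepting in `start()`. Plain Java NIO stands in for Grizzly's `HttpServer`, because the thread says the bind/start split is not available there. It assumes jsvc is launched with `-user`, so that `init()` runs as root and `start()` runs after the identity switch; that the first program argument is the port; that the commons-daemon jar is on the class path; and that it runs on Linux, where `/proc/self/status` exposes the `Uid:` and `CapEff:` fields. `CAP_NET_BIND_SERVICE` is bit 10 in `linux/capability.h`.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

import org.apache.commons.daemon.Daemon;
import org.apache.commons.daemon.DaemonContext;

/**
 * Hypothetical jsvc daemon: the privileged bind happens in init() (root),
 * serving happens in start() (the -user identity). Plain NIO, not Grizzly.
 */
public class PrivilegedBindDaemon implements Daemon {

    // Bit index of CAP_NET_BIND_SERVICE in the CapEff bitmask (linux/capability.h).
    private static final int CAP_NET_BIND_SERVICE = 10;

    private ServerSocketChannel listener; // bound in init(), consumed in start()
    private Thread acceptor;
    private volatile boolean running;

    @Override
    public void init(DaemonContext ctx) throws Exception {
        // Still root here. Assumed convention: first argument is the port (default 80).
        int port = ctx.getArguments().length > 0 ? Integer.parseInt(ctx.getArguments()[0]) : 80;
        listener = ServerSocketChannel.open();
        listener.bind(new InetSocketAddress(port));
        System.out.println("init: bound port " + port + " as uid " + currentUid());
    }

    @Override
    public void start() {
        // jsvc has switched identity before calling start(); report what is left.
        System.out.println("start: running as uid " + currentUid()
                + ", CAP_NET_BIND_SERVICE effective=" + hasEffectiveCapability(CAP_NET_BIND_SERVICE));
        // Same probe as in the thread: a fresh bind to another privileged port.
        System.out.println("start: can still bind port 81? " + canBind(81));
        running = true;
        acceptor = new Thread(this::acceptLoop, "acceptor");
        acceptor.start();
    }

    // Accept on the already-bound channel; no new bind is needed at this point.
    private void acceptLoop() {
        ByteBuffer reply = ByteBuffer.wrap(
                "HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok".getBytes(StandardCharsets.US_ASCII));
        while (running) {
            try (SocketChannel client = listener.accept()) {
                client.write(reply.duplicate());
            } catch (IOException e) {
                if (running) System.err.println("accept failed: " + e);
            }
        }
    }

    /** Bind and immediately release a port; false means EACCES or port in use. */
    static boolean canBind(int port) {
        try (ServerSocketChannel probe = ServerSocketChannel.open()) {
            probe.bind(new InetSocketAddress(port));
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    /** Returns the value after `key` in /proc/self/status, or null if unavailable. */
    static String procStatusField(String key) {
        try {
            for (String line : Files.readAllLines(Paths.get("/proc/self/status"))) {
                if (line.startsWith(key)) return line.substring(key.length()).trim();
            }
        } catch (IOException e) {
            // not Linux, or /proc not mounted
        }
        return null;
    }

    /** Tests one bit of the effective capability set (CapEff is a hex bitmask). */
    static boolean hasEffectiveCapability(int bit) {
        String hex = procStatusField("CapEff:");
        return hex != null && (Long.parseUnsignedLong(hex, 16) & (1L << bit)) != 0;
    }

    /** Effective uid: the "Uid:" line lists real, effective, saved and fs uids. */
    static String currentUid() {
        String uids = procStatusField("Uid:");
        return uids == null ? "?" : uids.split("\\s+")[1];
    }

    @Override
    public void stop() throws Exception {
        running = false;
        listener.close(); // unblocks accept() in the acceptor thread
        acceptor.join(5000);
    }

    @Override
    public void destroy() { }
}
```

Launched as, for instance, `jsvc -user nobody -cp commons-daemon.jar:. PrivilegedBindDaemon 80`, the log should show the bind succeeding in `init` and the probe on port 81 being refused in `start`, which is the behaviour reported above. The `CapEff` line is the useful extra check: it tells you whether the switched-identity process still carries `CAP_NET_BIND_SERVICE` at all, rather than inferring that from a failed bind.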
